19.3 RSA

[...] full-fledged public-key algo-
binary data, choose the [...] and each message block,

100-digit primes, then [...] will have just under 200 [...]

should be just under 200 [...]

blocks, you can pad them with a [...] made up of similarly sized mes-

$c_i = m_i^e \bmod n$

To decrypt a message, take each encrypted block and compute

$m_i = c_i^d \bmod n$

(mod n)

the formula recovers the message. [...] decrypted with
RSA in Hardware

The rest of the message can be recovered in this manner.
Table 19.3
Existing RSA Chips

Company             Clock Speed   Clock Cycles Per 512 Bit Encryption   Technology
Alpha Techn.        25 MHz        [...]                                 1.5 micron
AmT                 15 MHz        [...]                                 2.5 micron
British Telecom     10 MHz        [...]                                 Gate Array
Business Sim. Ltd.  5 MHz         [...]                                 2 micron
Calmos Syst. Inc.   20 MHz        [...]                                 1 micron
CNET                25 MHz        [...]                                 Gate Array
Cryptech            [...]         [...]                                 1.5 micron
Cylink              30 MHz        [...]                                 1.4 micron
GEC Marconi         25 MHz        [...]                                 [...] micron
Pijnenburg          25 MHz        [...]                                 2 micron
Sandia              8 MHz         [...]                                 1 micron
Siemens             5 MHz         [...]                                 [...]
[...] Eve wants Alice [...] She generates two messages, [...] and [...]
such that [...]
If Eve can get Alice to [...], she can calculate [...]:

[...] attack.

Common Modulus Attack on RSA 

A possible RSA implementation gives [...]
for the exponents e and d. [...] two different exponents (both

[...] modulus [...]

$c_1 = m^{e_1} \bmod n$

Here's how he recovers m.

[...] and s, such that
[...] sages with different public keys [...] messages, or if the messages
against the system. If there [...] then e messages



This also ensures that $m^e \bmod n \neq m^e$. Most real-world RSA implementations—PEM
and PGP (see Sections 24.10 and 24.12), for example—do this.

Moral: Pad messages with random values before encrypting them; make sure m is 
about the same size as n. 
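
The moral above as an added example (not from the book), using textbook RSA with a constructed toy key built from two Mersenne primes and e = 7. `pad_random` is a hypothetical layout for illustration only, not the padding PEM or PGP use; it shows that a short unpadded message never wraps the modulus, so its ciphertext is just m^e over the integers, while a randomly padded block about the size of n does wrap.

```python
import secrets

# Constructed toy key (assumption): two known Mersenne primes and a low exponent.
P, Q = 2**89 - 1, 2**521 - 1
N, E = P * Q, 7
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, used only for the round trip
K = (N.bit_length() - 1) // 8          # byte length of a block that is always below N

def wraps_modulus(m: int) -> bool:
    """True when m**E >= N, so that m**E mod N differs from m**E."""
    return pow(m, E) >= N

def integer_root(x: int, k: int) -> int:
    """Floor of the k-th root of x (binary search over the integers)."""
    lo, hi = 0, 1 << (x.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid**k <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo

def pad_random(msg: bytes) -> int:
    """Hypothetical layout: 0x01 | random nonzero bytes | 0x00 | msg, K bytes in total."""
    fill = K - len(msg) - 2
    if fill < 8:
        raise ValueError("message too long for this modulus")
    rnd = bytes(secrets.randbelow(255) + 1 for _ in range(fill))
    return int.from_bytes(b"\x01" + rnd + b"\x00" + msg, "big")

def unpad(m: int) -> bytes:
    """Strip the hypothetical padding: everything after the first 0x00 separator."""
    block = m.to_bytes(K, "big")
    return block[block.index(b"\x00", 1) + 1:]

if __name__ == "__main__":
    msg = b"PIN 4921"                                  # constructed sample message
    raw = int.from_bytes(msg, "big")
    c_raw = pow(raw, E, N)
    print("unpadded wraps n:", wraps_modulus(raw))
    print("integer root of ciphertext equals m:", integer_root(c_raw, E) == raw)
    padded = pad_random(msg)
    c_pad = pow(padded, E, N)
    print("padded wraps n:", wraps_modulus(padded))
    print("decrypts to:", unpad(pow(c_pad, D, N)))
```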

Low Decryption Exponent Attack against RSA 

Another attack, this one by Michael Wiener, will recover d, when d is up to one
quarter the size of n and e is less than n [1596]. This rarely occurs if e and d are
chosen at random, and cannot occur if e has a small value.

Moral: Choose a large value for d. 

Lessons Learned 

Judith Moore lists several restrictions on the use of RSA, based on the success of
these attacks [1114,1115]:

— Knowledge of one encryption/decryption pair of exponents for a given 
modulus enables an attacker to factor the modulus. 

— Knowledge of one encryption/decryption pair of exponents for a given 
modulus enables an attacker to calculate other encryption/ 
decryption pairs without having to factor n. 

— A common modulus should not be used in a protocol using RSA in a
communications network. (This should be obvious from the previous
two points.)

— Messages should be padded with random values to prevent attacks on
low encryption exponents.

— The decryption exponent should be large.

Remember, it is not enough to have a secure cryptographic algorithm. The entire 
cryptosystem must be secure, and the cryptographic protocol must be secure. A fail- 
ure in any of those three areas makes the overall system insecure. 

Attack on Encrypting and Signing with RSA 

It makes sense to sign a message before encrypting it (see Section 2.7), but not
everyone follows this practice. With RSA, there is an attack against protocols that
encrypt before signing [48].

Alice wants to send a message to Bob. First she encrypts it with Bob's public key;
then she signs it with her private key. Her encrypted and signed message looks like:

$[m^{e_B} \bmod n_B]^{d_A} \bmod n_A$

Here's how Bob can claim that Alice sent him m' and not m. Realize that since
Bob knows the factorization of $n_B$ (it's his modulus), he can calculate discrete loga-
rithms with respect to $n_B$. Therefore, all he has to do is to find an x such that
$m'^x = m \bmod$